THE WHITE HOUSE

Office of the Press Secretary



EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S STATE OF THE UNION ADDRESS

February 12, 2013

EXECUTIVE ORDER 



IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY 



By the authority vested in me as President by the 
Constitution and the laws of the United States of America, it 
is hereby ordered as follows: 

Section 1. Policy. Repeated cyber intrusions into 
critical infrastructure demonstrate the need for improved 
cybersecurity. The cyber threat to critical infrastructure 
continues to grow and represents one of the most serious 
national security challenges we must confront. The national and 
economic security of the United States depends on the reliable 
functioning of the Nation's critical infrastructure in the face 
of such threats. It is the policy of the United States to 
enhance the security and resilience of the Nation's critical 
infrastructure and to maintain a cyber environment that 
encourages efficiency, innovation, and economic prosperity while 
promoting safety, security, business confidentiality, privacy, 
and civil liberties. We can achieve these goals through a 
partnership with the owners and operators of critical 
infrastructure to improve cybersecurity information sharing and 
collaboratively develop and implement risk-based standards. 

Sec. 2. Critical Infrastructure. As used in this order, 
the term critical infrastructure means systems and assets, 
whether physical or virtual, so vital to the United States that 
the incapacity or destruction of such systems and assets would 
have a debilitating impact on security, national economic 
security, national public health or safety, or any combination 
of those matters. 

Sec. 3. Policy Coordination. Policy coordination, 
guidance, dispute resolution, and periodic in-progress reviews 
for the functions and programs described and assigned herein 
shall be provided through the interagency process established in 
Presidential Policy Directive-1 of February 13, 2009 
(Organization of the National Security Council System), or any 
successor. 

Sec. 4. Cybersecurity Information Sharing. (a) It is the 
policy of the United States Government to increase the volume, 
timeliness, and quality of cyber threat information shared with 
U.S. private sector entities so that these entities may better 
protect and defend themselves against cyber threats. Within 
120 days of the date of this order, the Attorney General, the 
Secretary of Homeland Security (the "Secretary"), and the 
Director of National Intelligence shall each issue instructions 
consistent with their authorities and with the requirements of 
section 12(c) of this order to ensure the timely production of 
unclassified reports of cyber threats to the U.S. homeland that 
identify a specific targeted entity. The instructions shall 
address the need to protect intelligence and law enforcement 
sources, methods, operations, and investigations. 

(b) The Secretary and the Attorney General, in 
coordination with the Director of National Intelligence, shall 
establish a process that rapidly disseminates the reports 
produced pursuant to section 4(a) of this order to the targeted 
entity. Such process shall also, consistent with the need to 
protect national security information, include the dissemination 
of classified reports to critical infrastructure entities 
authorized to receive them. The Secretary and the Attorney 
General, in coordination with the Director of National 
Intelligence, shall establish a system for tracking the 
production, dissemination, and disposition of these reports. 

(c) To assist the owners and operators of critical 
infrastructure in protecting their systems from unauthorized 
access, exploitation, or harm, the Secretary, consistent with 
6 U.S.C. 143 and in collaboration with the Secretary of Defense, 
shall, within 120 days of the date of this order, establish 
procedures to expand the Enhanced Cybersecurity Services program 
to all critical infrastructure sectors. This voluntary 
information sharing program will provide classified cyber threat 
and technical information from the Government to eligible 
critical infrastructure companies or commercial service 
providers that offer security services to critical 
infrastructure. 

(d) The Secretary, as the Executive Agent for the 
Classified National Security Information Program created under 
Executive Order 13549 of August 18, 2010 (Classified National 
Security Information Program for State, Local, Tribal, and 
Private Sector Entities), shall expedite the processing of 
security clearances to appropriate personnel employed by 
critical infrastructure owners and operators, prioritizing the 
critical infrastructure identified in section 9 of this order. 

(e) In order to maximize the utility of cyber threat 
information sharing with the private sector, the Secretary shall 
expand the use of programs that bring private sector subject- 
matter experts into Federal service on a temporary basis. These 
subject matter experts should provide advice regarding the 
content, structure, and types of information most useful to 
critical infrastructure owners and operators in reducing and 
mitigating cyber risks. 

Sec. 5. Privacy and Civil Liberties Protections. (a) 
Agencies shall coordinate their activities under this order with 
their senior agency officials for privacy and civil liberties 
and ensure that privacy and civil liberties protections are 
incorporated into such activities. Such protections shall be 
based upon the Fair Information Practice Principles and other 
privacy and civil liberties policies, principles, and frameworks 
as they apply to each agency's activities. 

(b) The Chief Privacy Officer and the Officer for Civil 
Rights and Civil Liberties of the Department of Homeland 
Security (DHS) shall assess the privacy and civil liberties 
risks of the functions and programs undertaken by DHS as called 
for in this order and shall recommend to the Secretary ways to 
minimize or mitigate such risks, in a publicly available report, 
to be released within 1 year of the date of this order. Senior 
agency privacy and civil liberties officials for other agencies 
engaged in activities under this order shall conduct assessments 
of their agency activities and provide those assessments to DHS 
for consideration and inclusion in the report. The report shall 
be reviewed on an annual basis and revised as necessary. The 
report may contain a classified annex if necessary. Assessments 
shall include evaluation of activities against the Fair 
Information Practice Principles and other applicable privacy and 
civil liberties policies, principles, and frameworks. Agencies 
shall consider the assessments and recommendations of the report 
in implementing privacy and civil liberties protections 
for agency activities. 

(c) In producing the report required under subsection (b) 
of this section, the Chief Privacy Officer and the Officer for 
Civil Rights and Civil Liberties of DHS shall consult with the 
Privacy and Civil Liberties Oversight Board and coordinate with 
the Office of Management and Budget (OMB). 

(d) Information submitted voluntarily in accordance with 
6 U.S.C. 133 by private entities under this order shall be 
protected from disclosure to the fullest extent permitted by 
law. 

Sec. 6. Consultative Process. The Secretary shall 
establish a consultative process to coordinate improvements to 
the cybersecurity of critical infrastructure. As part of the 
consultative process, the Secretary shall engage and consider 
the advice, on matters set forth in this order, of the Critical 
Infrastructure Partnership Advisory Council; Sector Coordinating 
Councils; critical infrastructure owners and operators; Sector- 
Specific Agencies; other relevant agencies; independent 
regulatory agencies; State, local, territorial, and tribal 
governments; universities; and outside experts. 

Sec. 7. Baseline Framework to Reduce Cyber Risk to 
Critical Infrastructure. (a) The Secretary of Commerce shall 
direct the Director of the National Institute of Standards and 
Technology (the "Director") to lead the development of a 
framework to reduce cyber risks to critical infrastructure (the 
"Cybersecurity Framework"). The Cybersecurity Framework shall 
include a set of standards, methodologies, procedures, and 
processes that align policy, business, and technological 
approaches to address cyber risks. The Cybersecurity Framework 
shall incorporate voluntary consensus standards and industry 
best practices to the fullest extent possible. The 
Cybersecurity Framework shall be consistent with voluntary 
international standards when such international standards will 
advance the objectives of this order, and shall meet the 
requirements of the National Institute of Standards and 
Technology Act, as amended (15 U.S.C. 271 et seq.), the National 
Technology Transfer and Advancement Act of 1995 (Public Law 104- 
113), and OMB Circular A-119, as revised. 

(b) The Cybersecurity Framework shall provide a 
prioritized, flexible, repeatable, performance-based, and 
cost-effective approach, including information security measures 
and controls, to help owners and operators of critical 
infrastructure identify, assess, and manage cyber risk. The 
Cybersecurity Framework shall focus on identifying cross-sector 
security standards and guidelines applicable to critical 
infrastructure. The Cybersecurity Framework will also identify 
areas for improvement that should be addressed through future 
collaboration with particular sectors and standards-developing 
organizations. To enable technical innovation and account for 
organizational differences, the Cybersecurity Framework will 
provide guidance that is technology neutral and that enables 
critical infrastructure sectors to benefit from a competitive 
market for products and services that meet the standards, 
methodologies, procedures, and processes developed to address 
cyber risks. The Cybersecurity Framework shall include guidance 
for measuring the performance of an entity in implementing the 
Cybersecurity Framework. 
(c) The Cybersecurity Framework shall include 
methodologies to identify and mitigate impacts of the 
Cybersecurity Framework and associated information security 
measures or controls on business confidentiality, and to protect 
individual privacy and civil liberties. 
(d) In developing the Cybersecurity Framework, the 
Director shall engage in an open public review and comment 
process. The Director shall also consult with the Secretary, 
the National Security Agency, Sector-Specific Agencies and other 
interested agencies including OMB, owners and operators of 
critical infrastructure, and other stakeholders through the 
consultative process established in section 6 of this order. 
The Secretary, the Director of National Intelligence, and the 
heads of other relevant agencies shall provide threat and 
vulnerability information and technical expertise to inform the 
development of the Cybersecurity Framework. The Secretary shall 
provide performance goals for the Cybersecurity Framework 
informed by work under section 9 of this order. 
(e) Within 240 days of the date of this order, the 
Director shall publish a preliminary version of the 
Cybersecurity Framework (the "preliminary Framework"). Within 
1 year of the date of this order, and after coordination with 
the Secretary to ensure suitability under section 8 of this 
order, the Director shall publish a final version of the 
Cybersecurity Framework (the "final Framework"). 
(f) Consistent with statutory responsibilities, the 
Director will ensure the Cybersecurity Framework and related 
guidance is reviewed and updated as necessary, taking into 
consideration technological changes, changes in cyber risks, 
operational feedback from owners and operators of critical 
infrastructure, experience from the implementation of section 8 
of this order, and any other relevant factors. 
Sec. 8. Voluntary Critical Infrastructure Cybersecurity 
Program. (a) The Secretary, in coordination with Sector- 
Specific Agencies, shall establish a voluntary program to 
support the adoption of the Cybersecurity Framework by owners 
and operators of critical infrastructure and any other 
interested entities (the "Program"). 

(b) Sector-Specific Agencies, in consultation with the 
Secretary and other interested agencies, shall coordinate with 
the Sector Coordinating Councils to review the Cybersecurity 
Framework and, if necessary, develop implementation guidance or 
supplemental materials to address sector-specific risks and 
operating environments. 
(c) Sector-Specific Agencies shall report annually to the 
President, through the Secretary, on the extent to which owners 
and operators notified under section 9 of this order are 
participating in the Program. 
(d) The Secretary shall coordinate establishment of a set 
of incentives designed to promote participation in the Program. 
Within 120 days of the date of this order, the Secretary and the 
Secretaries of the Treasury and Commerce each shall make 
recommendations separately to the President, through the 
Assistant to the President for Homeland Security and 
Counterterrorism and the Assistant to the President for Economic 
Affairs, that shall include analysis of the benefits and 
relative effectiveness of such incentives, and whether the 
incentives would require legislation or can be provided under 
existing law and authorities to participants in the Program. 

(e) Within 120 days of the date of this order, the 
Secretary of Defense and the Administrator of General Services, 
in consultation with the Secretary and the Federal Acquisition 
Regulatory Council, shall make recommendations to the President, 
through the Assistant to the President for Homeland Security and 
Counterterrorism and the Assistant to the President for Economic 
Affairs, on the feasibility, security benefits, and relative 
merits of incorporating security standards into acquisition 
planning and contract administration. The report shall address 
what steps can be taken to harmonize and make consistent 
existing procurement requirements related to cybersecurity. 
Sec. 9. Identification of Critical Infrastructure at 
Greatest Risk. (a) Within 150 days of the date of this order, 
the Secretary shall use a risk-based approach to identify 
critical infrastructure where a cybersecurity incident could 
reasonably result in catastrophic regional or national effects 
on public health or safety, economic security, or national 
security. In identifying critical infrastructure for this 
purpose, the Secretary shall use the consultative process 
established in section 6 of this order and draw upon the 
expertise of Sector-Specific Agencies. The Secretary shall 
apply consistent, objective criteria in identifying such 
critical infrastructure. The Secretary shall not identify any 
commercial information technology products or consumer 
information technology services under this section. The 
Secretary shall review and update the list of identified 
critical infrastructure under this section on an annual basis, 
and provide such list to the President, through the Assistant to 
the President for Homeland Security and Counterterrorism and the 
Assistant to the President for Economic Affairs. 
(b) Heads of Sector-Specific Agencies and other relevant 
agencies shall provide the Secretary with information necessary 
to carry out the responsibilities under this section. The 
Secretary shall develop a process for other relevant 
stakeholders to submit information to assist in making the 
identifications required in subsection (a) of this section. 

(c) The Secretary, in coordination with Sector-Specific 
Agencies, shall confidentially notify owners and operators of 
critical infrastructure identified under subsection (a) of this 
section that they have been so identified, and ensure identified 
owners and operators are provided the basis for the 
determination. The Secretary shall establish a process through 
which owners and operators of critical infrastructure may submit 
relevant information and request reconsideration of 
identifications under subsection (a) of this section. 

Sec. 10. Adoption of Framework. (a) Agencies with 
responsibility for regulating the security of critical 
infrastructure shall engage in a consultative process with DHS, 
OMB, and the National Security Staff to review the preliminary 
Cybersecurity Framework and determine if current cybersecurity 
regulatory requirements are sufficient given current and 
projected risks. In making such determination, these agencies 
shall consider the identification of critical infrastructure 
required under section 9 of this order. Within 90 days of the 
publication of the preliminary Framework, these agencies shall 
submit a report to the President, through the Assistant to the 
President for Homeland Security and Counterterrorism, the 
Director of OMB, and the Assistant to the President for Economic 
Affairs, that states whether or not the agency has clear 
authority to establish requirements based upon the Cybersecurity 
Framework to sufficiently address current and projected cyber 
risks to critical infrastructure, the existing authorities 
identified, and any additional authority required. 

(b) If current regulatory requirements are deemed to be 
insufficient, within 90 days of publication of the final 
Framework, agencies identified in subsection (a) of this section 
shall propose prioritized, risk-based, efficient, and 
coordinated actions, consistent with Executive Order 12866 of 
September 30, 1993 (Regulatory Planning and Review), Executive 
Order 13563 of January 18, 2011 (Improving Regulation and 
Regulatory Review), and Executive Order 13609 of May 1, 2012 
(Promoting International Regulatory Cooperation), to mitigate 
cyber risk. 

(c) Within 2 years after publication of the final 
Framework, consistent with Executive Order 13563 and Executive 
Order 13610 of May 10, 2012 (Identifying and Reducing Regulatory 
Burdens), agencies identified in subsection (a) of this section 
shall, in consultation with owners and operators of critical 
infrastructure, report to OMB on any critical infrastructure 
subject to ineffective, conflicting, or excessively burdensome 
cybersecurity requirements. This report shall describe efforts 
made by agencies, and make recommendations for further actions, 
to minimize or eliminate such requirements. 

(d) The Secretary shall coordinate the provision of 
technical assistance to agencies identified in subsection (a) of 
this section on the development of their cybersecurity workforce 
and programs. 

(e) Independent regulatory agencies with responsibility 
for regulating the security of critical infrastructure are 
encouraged to engage in a consultative process with the 
Secretary, relevant Sector-Specific Agencies, and other affected 
parties to consider prioritized actions to mitigate cyber risks 
for critical infrastructure consistent with their authorities. 

Sec. 11. Definitions. (a) "Agency" means any authority 
of the United States that is an "agency" under 44 U.S.C. 
3502(1), other than those considered to be independent 
regulatory agencies, as defined in 44 U.S.C. 3502(5). 

(b) "Critical Infrastructure Partnership Advisory Council" 
means the council established by DHS under 6 U.S.C. 451 to 
facilitate effective interaction and coordination of critical 
infrastructure protection activities among the Federal 
Government; the private sector; and State, local, territorial, 
and tribal governments. 

(c) "Fair Information Practice Principles" means the eight 
principles set forth in Appendix A of the National Strategy for 
Trusted Identities in Cyberspace. 

(d) "Independent regulatory agency" has the meaning given 
the term in 44 U.S.C. 3502(5). 

(e) "Sector Coordinating Council" means a private sector 
coordinating council composed of representatives of owners and 
operators within a particular sector of critical infrastructure 
established by the National Infrastructure Protection Plan or 
any successor. 

(f) "Sector-Specific Agency" has the meaning given the 
term in Presidential Policy Directive-21 of February 12, 2013 
(Critical Infrastructure Security and Resilience), or any 
successor. 

Sec. 12. General Provisions. (a) This order shall be 
implemented consistent with applicable law and subject to the 
availability of appropriations. Nothing in this order shall be 
construed to provide an agency with authority for regulating the 
security of critical infrastructure in addition to or to a 
greater extent than the authority the agency has under existing 
law. Nothing in this order shall be construed to alter or limit 
any authority or responsibility of an agency under existing law. 

(b) Nothing in this order shall be construed to impair or 
otherwise affect the functions of the Director of OMB relating 
to budgetary, administrative, or legislative proposals. 

(c) All actions taken pursuant to this order shall be 
consistent with requirements and authorities to protect 
intelligence and law enforcement sources and methods. Nothing 
in this order shall be interpreted to supersede measures 
established under authority of law to protect the security and 
integrity of specific activities and associations that are in 
direct support of intelligence and law enforcement operations. 

(d) This order shall be implemented consistent with U.S. 
international obligations. 

(e) This order is not intended to, and does not, create 
any right or benefit, substantive or procedural, enforceable at 
law or in equity by any party against the United States, its 
departments, agencies, or entities, its officers, employees, or 
agents, or any other person. 
BARACK OBAMA 
THE WHITE HOUSE, 

February 12, 2013. 
# # # 